
Re: Protocols that refer AH (was: Death to AH)



VRRP also talks about AH (<draft-ietf-vrrp-spec-v2-05.txt>), although it is
not integral to the protocol.
5.3.6.3 IP Authentication Header.

Seeing that AH does authenticate more than ESP (the outside IP Header), has
there been any discussion on making a header that combines ESP and AH? I
know that ESP NULL provides just authentication, but not the same coverage
as AH.

Scott
----- Original Message -----
From: "Jari Arkko" <jari.arkko@kolumbus.fi>
To: <sommerfeld@East.Sun.COM>; "Jun-ichiro itojun Hagino"
<itojun@iijlab.net>
Cc: "IP Security List" <ipsec@lists.tislabs.com>
Sent: Saturday, March 24, 2001 10:43 AM
Subject: Protocols that refer AH (was: Death to AH)


>
> > here is a (probably incomplete) list of protocols that say "use
> > IPsec to secure traffic".  in IPv4 they provided upper-layer mechanism
> > to secure the protocol, and now they do not provide upper-layer
> > mechanism for IPv6 because they rely upon IPsec
> > though I need to diagnose each of them further, my take is that
> > for routing protocols we prefer transport mode AH than ESP.
> >
> > - mobile-ip6
> >   a lot of extension headers need protection, we do not really
> >   want encryption for most of these
> > - RIPng (RFC2080)
> >   explicitly refers to AH and ESP
> > - OSPFv3 (RFC2740)
> >   explicitly refers to AH and ESP
> > - IPv6 router renumbering (RFC2894)
> >   tries to protect site-local multicast by IPsec!
> > - IPv6 tunnel broker (RFC3053)
>
> A lot of pure IPv6 (e.g. RFC 2461) refers explicitly to AH (see
> e.g. section 4.1). I consider this to be a bug, but thought that
> I should mention that many such references exist.
>
> Jari
>
>
>
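The coverage difference raised in the message above, as an added example that is not part of the original thread: a simplified IPv4 transport-mode model comparing what enters the AH integrity check value (ICV) with what enters the ESP-NULL ICV. The key, SPI, sequence number, addresses, payload, and the use of truncated HMAC-SHA-256 as the integrity algorithm are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key
SPI, SEQ = 0x1000, 1            # constructed SA values

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header, no options; checksum left at 0 in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # AH zeroes the fields routers may change in transit:
    # TOS, flags/fragment offset, TTL and header checksum
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_icv(src, dst, payload, ttl=64):
    # AH: next header (17 = UDP), length, reserved, SPI, seq, ICV zeroed for the calculation
    ah = struct.pack("!BBHII", 17, 4, 0, SPI, SEQ) + b"\0" * 12
    ip = ipv4_header(src, dst, 51, len(ah) + len(payload), ttl)
    return icv(zero_mutable(ip) + ah + payload)   # outer IP header is covered

def esp_null_icv(src, dst, payload, ttl=64):
    pad = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, 17])
    esp = struct.pack("!II", SPI, SEQ) + payload + trailer
    packet = ipv4_header(src, dst, 50, len(esp) + 12, ttl) + esp
    return icv(packet[20:])   # ICV input starts at the ESP header

def detects_header_change(payload=b"constructed routing update"):
    a, b, other = "192.0.2.1", "192.0.2.2", "192.0.2.99"
    return {
        "ah_src_rewrite": ah_icv(a, b, payload) != ah_icv(other, b, payload),
        "ah_ttl_decrement": ah_icv(a, b, payload) != ah_icv(a, b, payload, ttl=63),
        "esp_null_src_rewrite": esp_null_icv(a, b, payload) != esp_null_icv(other, b, payload),
    }

if __name__ == "__main__":
    print(detects_header_change())
```

The model covers only the ICV input; a receiver's check of packet addresses against the SA selectors is a separate step and is not shown.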


